Email is the easiest brand channel to impersonate. As a domain owner, your job is to make it hard for attackers to spoof your From: address and to give receiving mail servers strong signals to trust your legitimate messages. This guide walks through the core controls—SPF, DKIM, DMARC—plus transport and reporting standards (MTA-STS, TLS-RPT) and a visual trust layer (BIMI).
Goals
- Stop spoofing and reduce phishing sent “from” your domain.
- Preserve deliverability for legitimate providers (your own SMTP, SaaS mailers, support tools, CRM).
- Gain visibility with aggregate and forensic reports to tune policies safely.
1) SPF — Authorize Senders by IP/Domain
SPF (Sender Policy Framework) is a DNS TXT record listing the hosts allowed to send mail for your domain. Receivers check the connecting IP against this list.
Type: TXT
Name: @
Value: v=spf1 ip4:203.0.113.10 include:_spf.google.com include:sendgrid.net ~all
- `ip4:` / `ip6:`: your outbound mail server(s).
- `include:`: authorized third-party senders (e.g., Google Workspace, SendGrid, Mailgun).
- End with `~all` (softfail) while testing; move to `-all` (fail) once confident.
Tip: keep each TXT string under 255 characters (split a longer record into multiple strings) and stay within SPF's limit of 10 DNS lookups per evaluation.
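As an added example (not code from this guide), a small Python checker that counts the lookup-triggering terms in an SPF record and flags the problems above. It performs no DNS resolution, so lookups hidden inside nested `include:` targets are not followed; the sample record is the one shown in this section.

```python
from __future__ import annotations
import re

# Mechanisms and the redirect modifier that each cost one DNS lookup under
# RFC 7208's per-evaluation limit of 10; ip4, ip6 and all cost nothing.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
MAX_TXT_STRING = 255  # a single TXT character-string is limited to 255 bytes

def spf_terms(record: str) -> list[str]:
    """Split an SPF record into its terms after checking the version tag."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    return parts[1:]

def term_name(term: str) -> str:
    """Mechanism or modifier name without qualifier, argument or CIDR length."""
    return re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()

def count_lookups(record: str) -> int:
    """Count lookup-triggering terms in this record alone. No DNS is queried,
    so lookups inside nested include: targets are not added to the total."""
    return sum(1 for t in spf_terms(record) if term_name(t) in LOOKUP_TERMS)

def check_spf(record: str) -> list[str]:
    """Return the problems a domain owner should fix before publishing."""
    problems: list[str] = []
    terms = spf_terms(record)
    if len(record) > MAX_TXT_STRING:
        problems.append(f"record is {len(record)} chars; split it into "
                        f"multiple <=255-char strings")
    lookups = count_lookups(record)
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} lookup terms exceed the limit of "
                        f"{MAX_LOOKUPS} (receivers return permerror)")
    all_pos = [i for i, t in enumerate(terms) if term_name(t) == "all"]
    has_redirect = any(term_name(t) == "redirect" for t in terms)
    if not all_pos and not has_redirect:
        problems.append("no 'all' mechanism: unlisted hosts get a neutral result")
    elif all_pos:
        i = all_pos[0]
        if terms[i].lstrip("+") == "all":
            problems.append("'+all' authorizes every host on the internet")
        if i != len(terms) - 1:
            problems.append("terms after 'all' are never evaluated")
    return problems

# Constructed sample: the record published in this section of the guide.
EXAMPLE = "v=spf1 ip4:203.0.113.10 include:_spf.google.com include:sendgrid.net ~all"
```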
2) DKIM — Sign Mail with a Private Key
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to each message. Receivers fetch the public key from DNS and verify the signature.
Type: TXT
Name: selector1._domainkey
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0B...QIDAQAB
- Selector (e.g., `selector1`) lets you rotate keys without downtime.
- Publish `p=` with your public key; keep the private key in your MTA or email provider.
- Sign with the same domain you show users in the From: header (helps DMARC alignment).
3) DMARC — Policy, Alignment, and Reporting
DMARC tells receivers what to do when SPF/DKIM fail or don’t align with the visible From: domain. It also sends you reports so you can tune safely.
Type: TXT
Name: _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc-agg@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com; adkim=s; aspf=s; fo=1; pct=100
- `p=none` to start (monitor only). Later: `quarantine`, then `reject`.
- `rua`: aggregate (XML) reports; `ruf`: optional forensic samples (PII caution).
- `aspf` / `adkim`: strict (`s`) for strong alignment or relaxed (`r`).
- `pct` can phase in enforcement (e.g., `pct=25` → `pct=100`).
- Alignment: the authenticated domain (`MAIL FROM` for SPF, `d=` for DKIM) must align with the visible From: domain (per `aspf`/`adkim`).
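As an added example (not code from this guide), a Python evaluator for the alignment rules above: it parses the DMARC record from this section and decides pass or fail for one message given its SPF/DKIM results. The organizational-domain helper is a simplification that assumes two-label suffixes; a real receiver uses the Public Suffix List.

```python
from __future__ import annotations

def org_domain(domain: str) -> str:
    """Organizational domain for relaxed alignment. Real checkers consult the
    Public Suffix List; this simplification (an assumption of this example)
    keeps the last two labels, which is wrong for suffixes such as co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    if mode == "r":
        return org_domain(a) == org_domain(f)
    raise ValueError(f"unknown alignment mode {mode!r}")

def parse_dmarc(record: str) -> dict[str, str]:
    """Parse 'tag=value; tag=value' into a dict, filling in the defaults that
    matter here: aspf and adkim default to relaxed, pct to 100."""
    tags = {"aspf": "r", "adkim": "r", "pct": "100"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("DMARC record needs v=DMARC1 and a p= tag")
    return tags

def dmarc_result(record: str, from_domain: str, spf_pass: bool,
                 mail_from_domain: str, dkim_pass: bool, dkim_d: str):
    """Evaluate DMARC for one message. Returns ('pass', None) when at least
    one authenticated identifier both passed and aligns with the visible
    From: domain, else ('fail', <p= policy>). Sampling by pct is left to the
    receiver and not modelled here."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(mail_from_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_d, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", None
    return "fail", tags["p"]

# Constructed sample: the record from this section (strict alignment).
RECORD = ("v=DMARC1; p=none; rua=mailto:dmarc-agg@yourdomain.com; "
          "ruf=mailto:dmarc-forensic@yourdomain.com; adkim=s; aspf=s; fo=1; pct=100")
```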
4) MTA-STS — Enforce TLS for SMTP
MTA-STS lets you require TLS for mail delivery to your domain, preventing downgrade (STARTTLS stripping) attacks.
- Publish the policy via DNS:
Type: TXT
Name: _mta-sts
Value: v=STSv1; id=20240116
- Serve the policy via HTTPS (must be on `mta-sts.yourdomain.com`):
GET https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
version: STSv1
mode: enforce
mx: mail.yourdomain.com
max_age: 86400
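As an added example (not code from this guide), a Python parser for the policy file above that validates its fields, matches an MX hostname against the policy (including `*.` wildcards), and shows what a sending MTA does under `enforce` versus `testing` when the MX or its TLS certificate does not check out.

```python
VALID_MODES = {"enforce", "testing", "none"}

def parse_mta_sts(policy_text: str) -> dict:
    """Parse the 'key: value' lines of an MTA-STS policy file (RFC 8461) into
    {'version', 'mode', 'max_age', 'mx': [...]}; raise on an unusable policy."""
    fields: dict = {"mx": []}
    for raw in policy_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            fields["mx"].append(value.lower())
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if fields.get("mode") not in VALID_MODES:
        raise ValueError(f"mode must be one of {sorted(VALID_MODES)}")
    if not fields.get("max_age", "").isdigit():
        raise ValueError("max_age must be a non-negative integer (seconds)")
    fields["max_age"] = int(fields["max_age"])
    return fields

def mx_allowed(policy: dict, mx_host: str) -> bool:
    """True if the MX hostname matches an mx pattern; a leading '*.' matches
    exactly one label, so *.yourdomain.com does not cover a.b.yourdomain.com."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False

def delivery_decision(policy: dict, mx_host: str, tls_valid: bool) -> str:
    """Sending-side outcome: enforce refuses delivery when the MX is not in the
    policy or TLS did not validate; testing delivers anyway and reports it."""
    if mx_allowed(policy, mx_host) and tls_valid:
        return "deliver"
    if policy["mode"] == "enforce":
        return "refuse"
    return "deliver-and-report" if policy["mode"] == "testing" else "deliver"

# Constructed sample: the policy file shown in this section.
POLICY = "version: STSv1\nmode: enforce\nmx: mail.yourdomain.com\nmax_age: 86400\n"
```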
5) TLS-RPT — Receive TLS Failure Reports
TLS-RPT sends you JSON reports from receivers about TLS delivery issues.
Type: TXT
Name: _smtp._tls
Value: v=TLSRPTv1; rua=mailto:tls-rpt@yourdomain.com
6) BIMI — Display Your Logo in Supporting Inboxes
BIMI shows your verified logo when you have strong DMARC enforcement (usually `p=quarantine` at 100% or `p=reject`).
Type: TXT
Name: default._bimi
Value: v=BIMI1; l=https://yourdomain.com/bimi/brand.svg; a=https://yourdomain.com/bimi/vmc.pem
- `l=`: SVG Tiny-PS logo; `a=`: optional Verified Mark Certificate (required by some providers).
Rollout Plan (Safest Path)
- Inventory senders. List every service that sends mail for your domain (product, marketing, support, CRM, billing).
- Publish SPF (softfail). Add includes for each provider; watch lookups (≤10) and keep it tidy.
- Enable DKIM everywhere. Generate per-provider keys; rotate with new selectors.
- Deploy DMARC at `p=none`. Collect `rua` reports; validate alignment across providers.
- Fix alignment issues. Adjust From: domains, set custom DKIM domains, or route through authorized MTAs.
- Move to enforcement. `p=quarantine; pct=25` → `pct=100` → `p=reject` when confident.
- Add MTA-STS & TLS-RPT. Enforce TLS and monitor failures.
- Optional: BIMI. After DMARC enforcement, publish BIMI records and VMC if required.
Testing & Troubleshooting
SPF lookups (mind the 10-lookup limit):
dig +short TXT yourdomain.com
DKIM DNS (replace selector):
dig +short TXT selector1._domainkey.yourdomain.com
DMARC DNS:
dig +short TXT _dmarc.yourdomain.com
MTA-STS fetch:
curl -s https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
TLS to MX (verify STARTTLS):
openssl s_client -starttls smtp -crlf -connect mail.yourdomain.com:25
Common Pitfalls
- SPF “permerror” due to too many DNS lookups or nested `include:`s.
- DKIM selectors published but provider not actually signing mail.
- DMARC alignment failing because marketing tools use a different visible From: domain.
- MTA-STS policy served on the wrong host or with invalid TLS cert.
- Rolling to `p=reject` before all legitimate senders are covered.
Tip: a DMARC report processor that aggregates `rua` XML across receivers simplifies spotting misconfigured senders and alignment gaps.
With these building blocks in place—and a cautious rollout—you’ll dramatically reduce spoofing risk, strengthen brand trust, and improve delivery rates for legitimate mail.